The same group behind the SolarWinds supply-chain attacks has been targeting Microsoft’s corporate networks to gain access to specific organizations — primarily, U.S.-based IT and government organizations.
Microsoft officially announced the attacks after Reuters obtained an email sent to customers which explained that the threat group Nobelium stole customer-service-agent credentials to gain access and launch attacks against Microsoft customers.
“The Microsoft Threat Intelligence Center is tracking new activity from the Nobelium threat actor,” the software giant said in a blog post. “Our investigation into the methods and tactics being used continues, but we have seen password-spray and brute-force attacks.”
Nobelium, APT29, Cozy Bear, The Dukes: Different Names, Same State-Sponsored Group
Nobelium is the internal Microsoft name for the group believed to be behind the SolarWinds attacks, which also goes by APT29, Cozy Bear and The Dukes. No matter the moniker, the group has been designated by the U.S. government as working with the Russian government.
“All customers that were compromised or targeted are being contacted through our nation-state notification process,” Microsoft said.
The Microsoft Threat Intelligence Team found 45 percent of their customers who were targeted in the attacks are in the U.S. — out of those, 57 percent are IT companies and 20 percent are government agencies.
In addition to password spraying and brute-force attacks, Microsoft said they found info-stealer malware aimed at specific customers.
“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers,” Microsoft’s announcement said. “The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign.”
From Nuisance to National Security Threat
As Microsoft continues to track down this latest breach, companies need to look beyond basic password protections, according to Chris Clements with Cerberus Sentinel.
“Picking passwords that are both strong and unique to each site or application can be daunting but there are mnemonic devices and password managers that can ease the burden, but the biggest security improvements an individual user can make come from implementing non-SMS based two factor authentication for all their accounts,” Clements said.
Clements added limiting access and continuous monitoring should also be part of an organization’s protections.
“Organizations can also go a step further in shoring up defenses against password attacks by implementing conditional access as well as continuously monitoring for suspicious activity like credential stuffing attacks against their environment,” he said.
Erich Kron with KnowBe4 sees this type of attack on the biggest organizations as a sign that attackers are getting more ambitious in picking their victims for the maximum payoff.
“Once again, we are seeing how modern cybercrime is targeting more than just individuals or small organizations,” Kron said. “We are seeing how it is being used to go after larger targets, including the federal government. These attacks are no longer a nuisance, but instead represent a real and significant threat to our national security.”
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.